emotet | 75d39cde8311668ffaea4a2211eb81690af2cfb39e8407dd73fdac3e1c7cc777

General

Target

5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
Size

416KB
MD5

5b0af3dce15d92a5a7b8a37de83eeaa7
SHA1

6dcd0197106aad03ebb99fe5b48e07030eee313c
SHA256

75d39cde8311668ffaea4a2211eb81690af2cfb39e8407dd73fdac3e1c7cc777
SHA512

6c02ee833a5c348ebf81d00a27de74b727055636da4fb8cda0fbcc7f81d8627731c7af22842cb80b061f233d2f29791b1c1342c95d6fce611c7f5d28a7a4be61
SSDEEP

6144:BL0ofRj4RzQF/zpWDdnXrZ+S7fSShT7bh1XhtGpmjc95bTYDbpaX:BLVRsRzQDWDxZ+gf17bh1XEm4ffobpaX

Score

10^/10

emotet epoch3 banker trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

178.153.91.22:80

92.17.138.248:80

114.183.140.94:80

172.105.213.30:80

69.30.205.162:7080

50.63.13.135:8080

192.161.190.171:8080

210.111.160.220:80

181.44.166.242:80

41.218.118.66:80

46.17.6.116:8080

142.93.87.198:8080

113.52.135.33:7080

187.177.155.123:990

172.90.70.168:443

198.57.217.170:8080

123.142.37.165:80

95.216.212.157:8080

187.250.92.82:80

216.75.37.196:8080

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 4 IoCs

Processes:

footerlua.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	footerlua.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	footerlua.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	footerlua.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	footerlua.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

footerlua.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	footerlua.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	footerlua.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	footerlua.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

footerlua.exe

pid	process
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe
4296	footerlua.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe

pid process

1160 5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe

pid	process
1160	5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exefooterlua.exefooterlua.exe

pid	process
3288	5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
1160	5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
1672	footerlua.exe
4296	footerlua.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exefooterlua.exe

description	pid	process	target process
PID 3288 wrote to memory of 1160	3288	5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe	5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
PID 3288 wrote to memory of 1160	3288	5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe	5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
PID 3288 wrote to memory of 1160	3288	5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe	5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
PID 1672 wrote to memory of 4296	1672	footerlua.exe	footerlua.exe
PID 1672 wrote to memory of 4296	1672	footerlua.exe	footerlua.exe
PID 1672 wrote to memory of 4296	1672	footerlua.exe	footerlua.exe

C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Local\Temp\5b0af3dce15d92a5a7b8a37de83eeaa7_JaffaCakes118.exe
--ba70c300
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Windows\SysWOW64\footerlua.exe
"C:\Windows\SysWOW64\footerlua.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\footerlua.exe
--d0db2173
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\d28bdbffaae6a126e5b3e8418d19968a_5fd6b8d9-48b3-42c0-adc7-08f9fe7c965e

Filesize
50B

MD5
4fda44f94340e6d3e4400360a1d25a01

SHA1
5d09264f7d0c020fd0522ba4017b712f1e505705

SHA256
58c68b9e7b841ce312f0d780b4939acdcf7fde25b89034bd568b3709e687e58a

SHA512
0756b8b65af19d587b9e265e392c4208beeffc2662bee705ce63b3b9aea7a2ee0aec0dfde8c888cced9282f9173a8a5a22648e005509ec612e99b14d7971b2e1

Download Submit
memory/1160-6-0x0000000002160000-0x0000000002177000-memory.dmp

Filesize
92KB

Download
memory/1160-17-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1672-12-0x0000000000F40000-0x0000000000F57000-memory.dmp

Filesize
92KB

Download
memory/3288-5-0x0000000002360000-0x0000000002371000-memory.dmp

Filesize
68KB

Download
memory/3288-0-0x0000000002380000-0x0000000002397000-memory.dmp

Filesize
92KB

Download
memory/4296-20-0x0000000000E30000-0x0000000000E47000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads